Like it or not, cyberspace is loaded with as many bad actors as a discount, all-you-can-eat dinner theatre.
Motivation is a key element to keep in mind when considering bad actors, says Scott Riccon, principal consultant with global technology research and advisory firm ISG. "Financial, political, hacktivism, or personal interest can motivate bad actors' behavior and the targets they engage," he explains. Also important is sponsorship: the entities who fund, protect, and direct attacker activities. "Protecting against an individual is much easier than protecting against a group sponsored by a nation-state with significantly more resources than a single organization can typically bring to defend itself," Riccon observes.
Cyberspace is rife with bad actors. Four, in particular, are creating a massive amount of mayhem:
Also known as Gold Niagara, ITG14, and Carbon Spider, FIN7 is a financially motivated threat group. The operation has been active since 2013, primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware, Riccon says.
In 2020, FIN7 shifted operations to a “big game hunting” approach, Riccon says, including the use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. "Darkside was responsible for the Colonial Pipeline ransomware attack on May 7, 2021, which disrupted 45 percent of fuel to the East Coast of the United States," he says. "One analysis showed that Darkside received over $90M in ransom payments from at least 47 victims, with the average ransom payment of $1.9M."
FIN7 may be linked to the Carbanak Group, while REvil was effectively taken down in January 2022 by the Russian Federal Security Service at the request of the U.S. government. "Their footprint and legacy remain prevalent as many other groups are leveraging techniques developed by this group," Riccon notes. "These groups often shut down, regroup, and rebrand to continue their efforts."
Cozy Bear, also known as APT29, is associated with the group names NOBELIUM, YTTRIUM, and UNC2452. All are suspected to be linked to the Russian Foreign Intelligence Service and related state-sponsored groups.
Cozy Bear is the group responsible for the Democratic National Committee (DNC) compromise that led to large-scale distrust in the U.S. election system, observes Aaron Rosenmund, director of security research and curriculum at technology workforce development firm Pluralsight. The group is also believed to be responsible for the SolarWinds malware supply chain attack.
Regionally-associated Cozy Bear groups are also attributed with a Ukrainian critical infrastructure attack in 2015 and the deployment of NotPetya destructive malware, disguised as ransomware, in 2017. APT29 and associated threat actors aren't focused on financial gain, Rosenmund says. "Instead, they are interested in the destabilization of public opinion and gaining access to critical infrastructure to cause real-world harm."
Nation-state level cyber threat activity accounts for about a third of the cost of cyberattacks yearly while being less than 10 percent of the total count of attacks that are reported, Rosenmund notes. "This means that when they do strike, it is on average more costly and causes more damage."
Also known as LockBit Black, LockBit 3.0, is regarded by many security professionals as today’s leading bad actor. At the start of 2022, there was a lull in ransomware activities, says Alex Applegate, senior threat researcher at DNSFilter, a domain name system threat protection, and content filtering technology provider. "Flash forward to recent months, and LockBit 3.0 leads a new surge that catches, and maybe even surpasses, anything we have seen before."
LockBit continues to be recognized as a prolific ransomware group, launching effective campaigns and a strong desire to prove themselves as the "best" professional ransomware crew. "As evidence, they have entered partnerships with other top-tier actors, such as EvilCorp, evolved technical capabilities, and even offered the first 'bug bounty' from a ransomware actor to challenge the research community," Applegate says.
LockBit is primarily financially driven. They are a "double extortion" attacker, with two ransoms at play, Applegate notes. The attackers first disrupt operations by encrypting a business' systems for ransom. They then steal enterprise data for ransom. If the ransoms aren't paid in full, they release the data on a website to anyone who wishes to purchase it.
Another strong contender for today's top network bad actor is the hacker group known as Anonymous. This organization is particularly dangerous due to its extreme versatility since it can reportedly take down entire networks with just a few clicks. Anonymous first appeared in the early 2000s and has caused massive damage to a wide range of organizations over the years. Some of their most famous attacks include taking down websites operated by the FBI, CIA, and Mastercard.
What makes Anonymous uniquely dangerous is its sheer versatility, says Cameron Toole, CFO at IBR, a federal student loan repayment program company. "They can take down websites with just a few clicks, but they can also steal sensitive information or even break into networks," he notes. "They are also very good at staying hidden, which makes them difficult to track down and stop."